Lock down sendmail?

Boris bbresc512-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Fri Jan 28 18:47:37 UTC 2005


My 5 cents here. You can use PAM, although it will keep the box busy 
validating requests. So the firewall is still a better choice.
Look up the pam_listfile module. I think it does exactly what you're looking 
for.

Boris.

----- Original Message ----- 
From: "Robert Brockway" <rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org>
To: <tlug-lxSQFCZeNF4 at public.gmane.org>
Sent: Friday, January 28, 2005 7:54 PM
Subject: Re: [TLUG]: Lock down sendmail?


> On Fri, 28 Jan 2005, William O'Higgins wrote:
>
>> what I want.  Basically, this is what I'm hoping for:
>>
>> ACCEPT: local mail only
>> SEND: local mail only
>
> When I need to do this I use a firewall.  It's a Linux box right? 
> Configure iptables to REJECT any attempts to connect to tcp/25 in the 
> OUTPUT chain on the box itself.
>
> This way no one fiddling with Sendmail in the future will accidentally 
> turn on sending again.  Random admins are far less likely to fiddle with a 
> firewall (less know how, less think they know how, most realise the 
> consequences).
>
> If you did want to do this with Sendmail you could try setting the 
> smarthost (DS) as localhost.  I've never tried that.
>
> I really recommend a firewall approach if viable.
>
>> Also, is there a simple way to have sshd drop requests from selected
>> IPs?  This box has been up two days and it is already on some script
>> kiddie's hit list.  Thanks.
>
> Sshd can be compiled with TCP Wrappers support which allows this 
> functionality.  Even better is to again block access through the firewall.
> Even better is to disable password access and only allow access through 
> public key.
>
> Rob
>
> -- 
> Robert Brockway B.Sc.
> Senior Technical Consultant, OpenTrend Solutions Ltd.
> Phone: 416-669-3073 Email: rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org 
> http://www.opentrend.net
> OpenTrend Solutions: Reliable, secure solutions to real world problems.
> Contributing Member of Software in the Public Interest 
> (http://www.spi-inc.org)
> --
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml 
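
The firewall rule recommended in the quoted reply (REJECT tcp/25 in the OUTPUT chain) only protects the box while it stays loaded and ahead of any ACCEPT rule. The script below is an added example, not code from the thread: it audits `iptables-save` output for that policy. The function name and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `iptables-save` output on stdin and
# returns 0 only if new tcp/25 connections leaving the box are blocked.
# Conservative: a rule it cannot reason about counts as "not locked down".
smtp_egress_blocked() {   # hypothetical helper name
  awk '
    /^\*/             { table = substr($0, 2); next }  # e.g. "*filter"
    table != "filter" { next }
    /^:OUTPUT /       { policy = $2; next }            # chain default policy
    !/^-A OUTPUT / || decided { next }
    {
      target = ""
      for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
      r = $0; sub(/ ! -o lo/, "", r)       # "not loopback" is no restriction
      if (r ~ / -o lo( |$)/) next                      # loopback-only rule
      if (r ~ / -p / && r !~ / -p tcp( |$)/) next      # other protocol
      if (r ~ / --dport / && r !~ / --dport 25( |$)/) next
      if (r ~ / --(ct)?state / && r !~ /NEW/) next     # cannot open a connection
      if (target == "LOG") next                        # non-terminating target
      narrowed = (r ~ / (-s|-d|--uid-owner|--gid-owner|--dports|!) /)
      block = (target == "REJECT" || target == "DROP")
      if (block && narrowed) next          # blocks only part of the traffic
      blocked = block; decided = 1         # first rule that settles the question
    }
    END { if (!decided) blocked = (policy == "DROP"); exit (blocked ? 0 : 1) }'
}

# Constructed sample: the recommended rule, with loopback left open for local mail.
LOCKED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

if printf '%s\n' "$LOCKED" | smtp_egress_blocked; then
  echo "outbound SMTP is blocked"
else
  echo "outbound SMTP is NOT blocked"
fi
```

On a live host the input would come from `iptables-save` run as root, for example from a cron job that alerts when the function returns non-zero. Jumps to user-defined chains are not followed and are reported as not locked down.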

